I did notice the grep is wrong; however, running a simple "netstat -an | grep divert" still does not list the divert referenced in the Suricata logs on OpenBSD, while the same command on FreeBSD (which I believe uses a similar facility) returns the divert as expected. I set the bind port to 700 as referenced in the OpenBSD port docs, but I did try values above 1024 on the off chance that there was an issue binding, and it made no difference (no errors are thrown in the Suricata logs in either case, regardless of how verbose they are set):
OpenBSD:

beastie# uname -a
OpenBSD beastie.cipherpunk.com 7.8 GENERIC.MP#1 amd64
beastie# ps aux | grep suri
_suricat 72976 29.5  6.2 1044344 1024672 ??  Sp    6:42AM  0:11.06 /usr/local/bin/suricata -D -d 700
beastie# netstat -an | grep divert
beastie#

FreeBSD:

root@freebsd:~ # uname -a
FreeBSD freebsd 15.0-RELEASE FreeBSD 15.0-RELEASE releng/15.0-n280995-7aedc8de6446 GENERIC arm64
root@freebsd:~ # ps aux | grep suri
root 2473  0.2 33.6 1965952 1401028  -  Ss   23:55   0:34.59 /usr/local/bin/suricata -D -d 8000 --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
root 3504  0.0  0.1   13052    2408  0  S+   00:38   0:00.00 grep suri
root@freebsd:~ # netstat -an | grep divert
divert4    0      0 *.8000        *.*

On Tue, Feb 3, 2026 at 2:45 AM Alexander Bluhm <[email protected]> wrote:
> On Sat, Jan 31, 2026 at 01:08:36PM -0800, William B. wrote:
> > I am showing no divert listener for the Suricata package despite following
> > the package documentation and the listener itself being referenced in the
> > Suricata log output.
>
> Looks like divert packet sockets are not exported by kernel.  Diff
> below adds this feature.
>
> root@ot29:.../~# suricata -d 700
> i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
> W: detect: No rule files match the pattern /var/suricata/rules/suricata.rules
> W: detect: 1 rule files specified, but no rules were loaded!
> i: threads: Threads created -> RX: 1 W: 6 TX: 1 FM: 1 FR: 1 Engine started.
>
> root@ot29:.../~# netstat -an -p divert
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        IP-Proto
> divert       0      0  *.700                  *.*                    0
>
> > This prevents IPS functionality from working.
>
> No, there must be some other reason why it does not work for you.
>
> > There is no such listener:
> > netstat -an | grep LISTEN
>
> It is not a LISTEN socket, they only exist for TCP.  Your grep is
> wrong.
> > bluhm > > Index: kern/kern_sysctl.c > =================================================================== > RCS file: /mount/openbsd/cvs/src/sys/kern/kern_sysctl.c,v > diff -u -p -r1.483 kern_sysctl.c > --- kern/kern_sysctl.c 23 Sep 2025 08:00:48 -0000 1.483 > +++ kern/kern_sysctl.c 3 Feb 2026 10:29:05 -0000 > @@ -100,6 +100,7 @@ > #include <netinet/tcp_var.h> > #include <netinet/udp.h> > #include <netinet/udp_var.h> > +#include <netinet/ip_divert.h> > #include <netinet6/ip6_var.h> > > #ifdef DDB > @@ -1768,6 +1769,12 @@ do { > \ > FILLINPTABLE(&rawcbtable); > #ifdef INET6 > FILLINPTABLE(&rawin6pcbtable); > +#endif > +#if NPF > 0 > + FILLINPTABLE(&divbtable); > +#ifdef INET6 > + FILLINPTABLE(&divb6table); > +#endif > #endif > } > fp = NULL; >
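Review bot: the new `#if NPF > 0` guard in the kern_sysctl.c hunk depends on `NPF` being defined by `#include "pf.h"`, but the only include this diff adds is `#include <netinet/ip_divert.h>`; if kern_sysctl.c does not already pull in pf.h, an undefined `NPF` evaluates to 0 in the preprocessor and both `FILLINPTABLE(&divbtable)` and `FILLINPTABLE(&divb6table)` are silently compiled out, which would reproduce exactly the "no divert row in netstat" symptom the patch is meant to fix. Please confirm the include is present (or add `#include "pf.h"` beside the new ip_divert.h include), and likewise confirm that `divb6table` is declared by a header this file now includes, adding the netinet6 divert header if it is not.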
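A small check script, added here as an example and not code from the thread, from Suricata or from OpenBSD: it pulls the `-d` port out of the `ps aux` line, looks for a divert row bound to that port in `netstat -an` output, and shows why `grep LISTEN` can never match a divert socket (divert rows carry no TCP state). The sample outputs are constructed from the rows quoted in the thread; the header lines and the extra `tcp` rows are assumed for illustration, since the FreeBSD header is not shown. On a stock kernel without bluhm's diff the OpenBSD divert row is simply absent, so the check reports it missing.

```python
from __future__ import annotations

import re

# Constructed sample output: a patched OpenBSD kernel (netstat -an -p divert)
# and FreeBSD (netstat -an). Header lines and the tcp rows are assumed.
OPENBSD_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        IP-Proto
tcp          0      0  *.22                   *.*                    LISTEN
divert       0      0  *.700                  *.*                    0
"""

FREEBSD_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address       Foreign Address      (state)
tcp4       0      0 *.22                *.*                  LISTEN
divert4    0      0 *.8000              *.*
"""

# Constructed: what an unpatched OpenBSD kernel shows (no divert rows at all).
OPENBSD_STOCK_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
"""

# The two ps lines quoted in the thread.
OPENBSD_PS = "_suricat 72976 29.5 6.2 1044344 1024672 ?? Sp 6:42AM 0:11.06 /usr/local/bin/suricata -D -d 700"
FREEBSD_PS = ("root 2473 0.2 33.6 1965952 1401028 - Ss 23:55 0:34.59 /usr/local/bin/suricata -D -d 8000 "
              "--pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml")


def suricata_divert_port(ps_line: str) -> int | None:
    """Return the port given to Suricata's -d option on a ps line, or None."""
    m = re.search(r"(?:^|\s)-d\s+(\d+)", ps_line)
    return int(m.group(1)) if m else None


def divert_listeners(netstat_output: str) -> set[int]:
    """Return the local ports of every divert row (OpenBSD 'divert', FreeBSD 'divert4/6')."""
    ports: set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Proto Recv-Q Send-Q Local-Address ...; skip headers and non-divert rows.
        if len(fields) < 4 or not fields[0].startswith("divert"):
            continue
        local = fields[3]                 # e.g. "*.700" or "127.0.0.1.700"
        port = local.rsplit(".", 1)[-1]   # BSD netstat joins address and port with "."
        if port.isdigit():
            ports.add(int(port))
    return ports


def listen_grep(netstat_output: str) -> list[str]:
    """Mimic `netstat -an | grep LISTEN`; divert rows never appear here."""
    return [line for line in netstat_output.splitlines() if "LISTEN" in line]


def check_divert(ps_line: str, netstat_output: str) -> str:
    """Report whether the divert socket Suricata was started for is visible."""
    port = suricata_divert_port(ps_line)
    if port is None:
        return "suricata is not running with -d"
    state = "present" if port in divert_listeners(netstat_output) else "missing"
    return f"divert socket for port {port}: {state}"


if __name__ == "__main__":
    print("OpenBSD (patched):", check_divert(OPENBSD_PS, OPENBSD_NETSTAT))
    print("OpenBSD (stock):  ", check_divert(OPENBSD_PS, OPENBSD_STOCK_NETSTAT))
    print("FreeBSD:          ", check_divert(FREEBSD_PS, FREEBSD_NETSTAT))
    print("grep LISTEN on OpenBSD (patched):", listen_grep(OPENBSD_NETSTAT))
```

On a real host the `netstat -an` text comes from `subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout`; the parser only keys on the first and fourth columns, so it works on either BSD's layout.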
